Cyber-attacks are growing in volume and sophistication, with threat actors often hiding undetected for many months. When did you last test for vulnerabilities to reduce the risk of possible attacks?
What is the purpose of Vulnerability Testing?
The primary goal is to identify vulnerabilities in your infrastructure and reduce the risk of threat actors exploiting them, thereby reducing your attack surface and improving the overall security and resilience of your entire IT infrastructure.
What should be assessed?
Vulnerability testing, also called vulnerability assessment, should regularly test your end-devices, servers, and applications. To fully assess the possible attack surface, it is critical to test the network infrastructure, including the wired and wireless access network, the managed and unmanaged transport network, as well as the application network infrastructure in the data center and cloud. This is vital for a comprehensive vulnerability assessment, as threat actors can hide in and manipulate the network infrastructure for their exploits.
What causes Vulnerabilities?
Vulnerabilities are weaknesses and risks in your infrastructure that can be exploited by threat actors:
- System vulnerabilities are hardware or software flaws, outdated or unpatched software or operating systems, or exploitable configurations on any device. They cover every system operated by the organization, such as:
  - Applications and their delivery infrastructure, such as web servers and databases
  - Servers, virtual and physical
  - Endpoints, including mobile devices, BYOD, and even Operational Technology (OT) sensors and systems
  - The network infrastructure, wired and wireless, including network services such as DHCP and DNS
- User behavior creates vulnerabilities when company insiders accidentally expose or maliciously leak confidential or sensitive information. Examples are users clicking on a link or opening an attachment that installs malware on their systems, or using weak or compromised login credentials.
- Cyber criminals may already have breached your defenses, with attacks underway that you are not aware of. Attackers often linger undetected in your infrastructure for many months, looking for vulnerabilities, assessing and exploiting users' credentials for additional access, creating backdoors for later attacks, or staging data for exfiltration or ransomware attacks.
How are vulnerabilities exploited?
The primary goal of attackers is either to gain access to valuable and proprietary information or to control the infrastructure or data for later ransomware attacks. In most cases, threat actors explore an environment for months to exploit weaknesses, expand their foothold, and prepare for future attacks by:
- Intercepting or compromising authentication to impersonate users and gain access to data and systems
- Injecting commands into database queries to gain access to sensitive data, or deceiving users into unintentionally providing confidential or personal information
- Monitoring and recording information from memory, storage, or traffic taken directly off the network
- Injecting commands to execute actions on the host operating system
- Installing backdoors for easier access for future attacks or to exfiltrate valuable data
- Changing configurations in systems that allow attackers to bypass security measures or ensure easy access
What is the difference between vulnerability testing and penetration testing?
Vulnerability assessment and penetration testing are sometimes used interchangeably but are two different approaches to discovering vulnerabilities. Combined, they provide a comprehensive assessment of the risks in your infrastructure:
- Vulnerability testing discovers vulnerabilities that exist within your infrastructure but does not assess whether an attacker could actually exploit them.
- Penetration testing simulates a cyber-attack. Offensive security professionals, also known as red teams, attempt to penetrate and attack your infrastructure with various known techniques to determine whether unauthorized access or other malicious activities are possible.
Best practices for vulnerability scanning
There are many best practices for vulnerability scanning, all built on the same four primary steps:
- Plan – Determine the scope of the test by mapping your infrastructure, identifying the attack surface to be tested, and deciding which approach, tools, and resources to apply.
- Test – Identify, scan, and analyze the selected network, device, and application infrastructure.
- Assess – Identify, classify, and prioritize all weaknesses and risks that threat actors could exploit. Then remediate the most critical vulnerabilities first: those most likely to be exploited and with the greatest negative impact on the business.
- Verify and reassess – Repeat the assessment regularly to verify your fixes and to test for new vulnerabilities as threat actors continue to evolve their attacks.
What are the primary vulnerability testing methods?
Vulnerability testing uses two primary methods – active and passive testing:
- Passive testing is non-intrusive observation that identifies vulnerabilities by monitoring each system and its interactions with other users or devices. It analyzes the communication traffic and assesses configurations, OS and software versions and updates, and various system settings.
- Active testing is intrusive and direct, and is more effective than passive testing at finding vulnerabilities. The tester actively interacts with the target system, sending login attempts and data requests and analyzing the responses. Examples are:
  - Port scans to find unprotected communication channels into the system
  - Sending malformed requests or packets to trigger an error condition that may produce an unintended response or grant access to the system
The primary drawback of this approach is that it can overwhelm the target system and may lead to unwanted performance degradation, resets, or even a complete shutdown if not done carefully.
What types of vulnerability testing are used to identify issues?
There are scanning methods for each infrastructure component, using both passive and active testing techniques. The primary ones are:
- Network scanning identifies vulnerabilities in the network itself and in the devices connected to it. It discovers every network device, including switches, routers, Wi-Fi access points, firewalls, DNS and DHCP servers, and any endpoint connected to the network; builds an inventory of the active devices; maps their topology; and tests all the active hardware and software in the network infrastructure. This makes it possible to discover provisioning and configuration issues as well as network segmentation issues that would let threat actors move freely across the network.
- Wireless network scans are specialized to identify security weaknesses in your Wi-Fi network, including malicious access points and wireless configuration issues.
- Host scanning assesses vulnerabilities on all endpoints or hosts, including servers, workstations, laptops, and mobile devices, as well as Operational Technology (OT) sensors. It determines vulnerabilities such as open ports, unsafe services, and misconfigurations, as well as software, OS, and patch levels.
- Application scanning tests any application, including web applications and databases, for known software vulnerabilities and misconfigurations. Scans are run either against operational systems or, before deployment, by analyzing source code or the applications themselves.
- Cloud and virtual container vulnerability assessments focus on misconfigurations and unsafe software or services operated in cloud-hosted, virtual, or containerized applications.
How can NetAlly’s CyberScope help?
Given what we've learned about vulnerability testing, how can a CyberScope security assessment help your organization improve its cybersecurity posture? As a cybersecurity scanner, CyberScope offers a perspective unlike any other in the industry, providing in-depth visibility at the notoriously problematic network edge. Let's see how.
Even with the myriad of cybersecurity solutions available for the network edge, from change management, firewalls, wireless, and endpoint monitoring to beyond, none can deliver the situational awareness of CyberScope. Why? Because only the portable, hand-held CyberScope is designed to be physically present. This perspective enables the following capabilities:
- Endpoint and Network Discovery
- Wi-Fi Security confirmation
- Rogue AP and Client Location
- Segmentation & Provisioning Validation
- Network Vulnerability Assessment
According to a recent IDG survey of 308 IT decision-makers worldwide focusing on the IT visibility crisis, 44% cited a lack of visibility into all endpoints that connect to the network.
The built-in layer 2 and 3 network intelligence, integrated with vulnerability features such as Nmap, offers the following benefits:
- Collecting discovery data and correlating it with vulnerability data makes it easy to compare network snapshots against known baselines
- Fast on-site configuration testing of segmentation and provisioning rules
- Link-Live™ facilitates collaboration, reporting, and sharing, including dissemination of common Nmap commands and scripts.
For more information on CyberScope, visit our product page.